From 97ddd7dd40f6b9e1c83f15da4354d1434d362a77 Mon Sep 17 00:00:00 2001
From: monaghaa <33913248+monaghaa@users.noreply.github.com>
Date: Thu, 12 Feb 2026 11:03:30 -0700
Subject: [PATCH] Update policies.md with security logging information

Added logging details for security compliance on CU Boulder Research Computing resources.
---
 docs/additional-resources/policies.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/docs/additional-resources/policies.md b/docs/additional-resources/policies.md
index fb36d3d9..664cc12f 100644
--- a/docs/additional-resources/policies.md
+++ b/docs/additional-resources/policies.md
@@ -6,6 +6,19 @@
 
 Use of CU Research Computing resources is subject to the [CU Boulder OIT Acceptable Use Policy](https://www.colorado.edu/compliance/policies/acceptable-use-cu-boulders-it-resources) and as well as the policies noted below.  CU Research Computing resources may not be used for non-research purposes or for personal financial gain and/or commercial purposes, whether for-profit or nonprofit.
 
+For security compliance purposes, system activity on CU Boulder Research Computing resources is logged and retained for a minimum period of 90 days. Logged activity may include the following: 
+* Sudo command execution (privileged access)
+* Authentication events (successful and failed logins)
+* User session activity
+* Password changes
+* Failed access attempts
+* Security or privacy attribute changes
+* Administrative privilege usage
+* Personal Identity Verification (PIV) credential usage (where applicable)
+* Data action changes
+* Query parameters
+* External credential usage
+
 <br>
 
 ## Acceptable data storage and use on CURC resources